ISI Insights

CMMC POA&Ms Explained: What You Can and Cannot Defer

Written by ISI | Mar 17, 2026 3:15:39 PM

Executive Brief

A Plan of Action and Milestones (POA&M) can be a useful tool and bridge to full compliance, but under Cybersecurity Maturity Model Certification (CMMC), POA&Ms are tightly constrained.

For CMMC Level 2, a POA&M is not a blanket “we’ll fix it later” option. It’s only allowed for limited, low-point items, and only if you hit the minimum scoring threshold for a Conditional result.

Some requirements can never be deferred, including your System Security Plan (SSP) and several controls tied to protecting Controlled Unclassified Information (CUI).

If you earn Conditional status, you have 180 days to close the POA&M and complete a closeout assessment. If you miss that window, your Conditional status expires.

Dig deeper below.

The misconception: “A POA&M means we can still pass”

A POA&M is not a workaround for missing core security capabilities.

Under the CMMC program rule (Title 32 of the Code of Federal Regulations (32 CFR) Part 170), POA&Ms are only permitted to reach a Conditional CMMC status, and only for select requirements scored NOT MET.

Also important: CMMC Level 1 does not allow POA&Ms at all.

What you can defer at CMMC Level 2

For CMMC Level 2, you can only use a POA&M if all three conditions are true:

    • You hit the 80% threshold: Your assessment score divided by total Level 2 requirements must be ≥ 0.8.
    • Only low-point items: POA&M items must be 1-point requirements only under the CMMC scoring methodology.
    • One narrow exception: CUI Encryption (SC.L2-3.13.11) can be on a POA&M only if encryption exists but is not Federal Information Processing Standards (FIPS) validated (a 3-point condition).

This matters for your Supplier Performance Risk System (SPRS) score too: scores, SSP accuracy, and POA&Ms need to match reality, not intention.

What you cannot put on a POA&M at CMMC Level 2

Start with the big rule: for a Conditional Level 2 result, your POA&M cannot include any requirement worth more than 1 point (with a narrow exception for SC.L2-3.13.11 CUI Encryption in a specific scenario).

That means most higher-impact 3-point and 5-point requirements are automatically off the table.

Then there’s a second restriction that catches teams off guard: even if a requirement is only 1 point, the rule explicitly prohibits these six items from being placed on a POA&M:

    • AC.L2-3.1.20 External Connections (CUI Data)
    • AC.L2-3.1.22 Control Public Information (CUI Data)
    • CA.L2-3.12.4 System Security Plan (SSP)
    • PE.L2-3.10.3 Escort Visitors (CUI Data)
    • PE.L2-3.10.4 Physical Access Logs (CUI Data)
    • PE.L2-3.10.5 Manage Physical Access (CUI Data)

This matters because these are core “program integrity” requirements. If they are not MET, your documentation and CUI boundary controls are not defensible, regardless of point value.

In plain language: you cannot defer foundational CUI boundary controls, your SSP, or key physical protection requirements tied to CUI.

The 180-day clock: Conditional is temporary

If you receive Conditional CMMC Level 2 (Self) or Conditional Level 2 (Certified Third-Party Assessment Organization (C3PAO)), you have 180 days from the Conditional CMMC Status Date to:

    • Remediate every POA&M item
    • Complete a POA&M closeout assessment that verifies those items are now MET

Closeout rules depend on assessment type:

    • For a Level 2 self-assessment, the Organization Seeking Assessment (OSA) performs the closeout self-assessment.
    • For a Level 2 certification assessment, an authorized C3PAO must perform the closeout certification assessment.

Miss the deadline and the Conditional status expires.
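The eligibility rules above (80% threshold, 1-point items only, the SC.L2-3.13.11 exception, the six never-deferrable requirements) and the 180-day closeout clock are a small decision procedure, so here is an added Python example that applies them to a list of NOT MET findings. This is illustrative code written for this article, not ISI's tooling and not anything published by the CMMC program. It assumes Level 2 is scored against the 110 NIST SP 800-171 Rev 2 requirements (a count the post does not state), and the `Finding`, `Outcome`, `evaluate` and `closeout_deadline` names, along with the sample requirement IDs and point values in the demo, are constructed for illustration; use the point values from your own assessment.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Requirements that 32 CFR Part 170 never allows on a Level 2 POA&M (the six listed in the post).
NEVER_DEFERRABLE = {
    "AC.L2-3.1.20", "AC.L2-3.1.22", "CA.L2-3.12.4",
    "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5",
}
CUI_ENCRYPTION = "SC.L2-3.13.11"   # the one 3-point exception
MIN_RATIO = 0.8                     # score / total requirements must be >= 0.8
CLOSEOUT_DAYS = 180                 # days from the Conditional CMMC Status Date
LEVEL2_REQUIREMENTS = 110           # assumption: NIST SP 800-171 Rev 2 count, not stated in the post


@dataclass
class Finding:
    """One requirement scored NOT MET (constructed input shape for this example)."""
    req_id: str
    points: int                          # 1, 3 or 5 under the CMMC scoring methodology
    encryption_in_place: bool = False    # only meaningful for SC.L2-3.13.11


@dataclass
class Outcome:
    status: str          # "Final", "Conditional" or "Not achieved"
    score: int
    ratio: float
    blockers: list = field(default_factory=list)


def item_deferrable(f: Finding):
    """Return (ok, reason) for whether a single NOT MET item may sit on a POA&M."""
    if f.req_id in NEVER_DEFERRABLE:
        return False, f"{f.req_id} may never be placed on a POA&M"
    if f.req_id == CUI_ENCRYPTION:
        # Deferrable only when encryption exists but is not FIPS validated (3-point condition).
        if f.points == 3 and f.encryption_in_place:
            return True, ""
        return False, f"{f.req_id} is deferrable only when encryption exists but is not FIPS validated"
    if f.points != 1:
        return False, f"{f.req_id} is worth {f.points} points; only 1-point items may be deferred"
    return True, ""


def evaluate(not_met, total=LEVEL2_REQUIREMENTS) -> Outcome:
    """Decide whether a set of NOT MET findings can yield a Conditional Level 2 result."""
    score = total - sum(f.points for f in not_met)
    ratio = score / total
    if not not_met:
        return Outcome("Final", score, ratio)          # nothing to defer: all requirements MET
    blockers = []
    if ratio < MIN_RATIO:
        blockers.append(f"score ratio {ratio:.3f} is below {MIN_RATIO}")
    for f in not_met:
        ok, why = item_deferrable(f)
        if not ok:
            blockers.append(why)
    status = "Conditional" if not blockers else "Not achieved"
    return Outcome(status, score, ratio, blockers)


def closeout_deadline(conditional_status_date: date) -> date:
    """Last day to remediate every POA&M item and complete the closeout assessment."""
    return conditional_status_date + timedelta(days=CLOSEOUT_DAYS)


if __name__ == "__main__":
    # Constructed sample: one 1-point gap plus non-FIPS CUI encryption.
    sample = [
        Finding("CM.L2-3.4.9", 1),
        Finding(CUI_ENCRYPTION, 3, encryption_in_place=True),
    ]
    result = evaluate(sample)
    print(result.status, result.score, f"{result.ratio:.3f}", result.blockers)
    print("Closeout due by:", closeout_deadline(date(2026, 3, 17)))
```

The `blockers` list is the useful part for planning: it names each finding that forces a "MET or no-go" decision, so a team can see at a glance which NOT MET items must be fixed before the assessment rather than tracked afterwards.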

How to use POA&Ms the right way

If you are planning around a Conditional outcome, build your strategy like this:

    • Plan your remediation priorities around scoring weights to ensure core controls are MET.
    • Treat 1-point items as your only “maybe.” Everything else should be “MET or no-go.”
    • Write POA&Ms like an assessor will read them: specific gap, owner, evidence plan, completion date.
    • Align SSP and evidence early: an SSP that lags behind your environment creates scoring risk.
    • Use tooling to track closure: compliance platforms can help manage evidence and the POA&M lifecycle, but they do not replace implementation.

FAQs

Can we use POA&Ms to “pass” CMMC Level 2 if we are missing major controls?

No. Conditional status does not fully satisfy Level 2 certification requirements; it only buys you more time to work on non-critical controls. If you are missing major controls, you likely will not achieve Conditional or Final certification even with a POA&M.

Is a POA&M closeout just paperwork?

No. A POA&M closeout assessment evaluates only the NOT MET items from the initial assessment, and it must confirm those items are now MET within 180 days of your Conditional CMMC Status Date.

Do POA&Ms affect our SPRS submission?

Yes. A credible Supplier Performance Risk System (SPRS) score depends on an accurate System Security Plan (SSP) and honest accounting of what is fully implemented versus tracked in a POA&M. Treat your score as a compliance artifact that must be defensible.
